[cairo-bugs] [Bug 10730] potential controllable integer overflow in cairo-png.c
bugzilla-daemon at freedesktop.org
Tue Apr 24 06:20:13 PDT 2007
http://bugs.freedesktop.org/show_bug.cgi?id=10730
------- Comment #5 from otaylor at redhat.com 2007-04-24 06:20 PST -------
I don't remember all the considerations, but for the
same math in gdk_pixbuf_new() I decided to go with the simple approach of
dividing out and making sure that the result was the same:

    rowstride = width * channels;
    if (rowstride / channels != width || rowstride + 3 < 0) /* overflow */
        return NULL;

    rowstride = (rowstride + 3) & ~3;

    bytes = height * rowstride;
    if (bytes / rowstride != height) /* overflow */
        return NULL;

(The quantities here are signed, so that's one reason that the "check if
the result is less" approach doesn't work. C doesn't even define the
results of an overflowing multiplication of signed integers, IIRC. But
there may be other reasons as well. Or not.)
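
The same rowstride and size calculation with each bound tested by division before the operation, so that no signed multiplication or addition can overflow. This is an added example, not part of the original comment and not cairo or gdk-pixbuf code; the function name `checked_image_size` and the sample dimensions are assumptions.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helper (not cairo or gdk-pixbuf code): compute the 4-byte
 * aligned rowstride and the total buffer size for a width x height image
 * with `channels` bytes per pixel. Every bound is checked by division
 * BEFORE the multiplication or addition is performed.
 * Returns 0 on success, -1 if the dimensions are invalid or too large. */
static int
checked_image_size (int width, int height, int channels,
                    int *rowstride_out, int *bytes_out)
{
    int rowstride;

    if (width <= 0 || height <= 0 || channels <= 0)
        return -1;

    /* width * channels must fit, leaving room for the +3 used to align */
    if (width > (INT_MAX - 3) / channels)
        return -1;
    rowstride = (width * channels + 3) & ~3;

    /* height * rowstride must fit; rowstride is at least 4 here */
    if (height > INT_MAX / rowstride)
        return -1;

    *rowstride_out = rowstride;
    *bytes_out = height * rowstride;
    return 0;
}

int
main (void)
{
    /* Constructed sample dimensions, as might be read from an image header */
    static const int dims[][3] = {
        { 640, 480, 4 }, { 5, 2, 3 }, { 0x40000000, 1, 4 }, { 65536, 65536, 4 },
    };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        int rs, bytes;
        printf ("%d x %d x %d: ", dims[i][0], dims[i][1], dims[i][2]);
        if (checked_image_size (dims[i][0], dims[i][1], dims[i][2], &rs, &bytes) == 0)
            printf ("rowstride=%d bytes=%d\n", rs, bytes);
        else
            printf ("rejected (would overflow)\n");
    }
    return 0;
}
```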